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TELECOMMUNICATION TERMINAL COMPRISING TWO EXECUTION SPACES 

The Invention concerns tii& execution of programmes and 
applications on a computing device with user interface 
5 (keyboard, monitor, sound card, touch-sensitive area, mouse 
etc..) e.g. on a domestic gateway, a sales machine (public 
machine for example) or a telecommimications terminal (from PC 

to mobile phone) • 

Different approaches are known for implementing 
10 applications in telecommunications terminals. 

For example the MIDP 2.0 profile on a virtual machine 
uses a security policy based on open standards, easy to use, 
placing no demand on the user, which takes into account the 
needs of each person concerned from development to execution 
15 (the concepts of user, operator, OEM, trusted third party are 
separated) • 

It affords protection of integrity and verification of 
the origin of applications during their downloading and 
execution, control of access to critical resources in 

2 0 accordance with a security policy, user alerting of operations 

in progress and can even request user opinion. 

The security policy is taken into consideration in fairly 
simple manner at an API to be protected by having recourse to 
the "check permission" method of the "Midlet" class (figure 
25 2) - 

This requires that the call function of the MIDP file 
should not be directly accessible from MIDP programmes 
(protected fianction) . 

The MIDP 2.0 security policy is well adapted to the needs 

3 0 of the various persons concerned. The possibility of 

requesting user opinion in accordance with a certain number of 
criteria (always, once, for one session, never) is highly 
advantageous . 
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Nonetheless its implementation raises two types of 
problems . 

Firstly execution of the protected procedure is made in 
the same execution space as the caller programme, which 
5 facilitates the risk of "leaks". Let us imagine a ciphering 
service called by two midlets simultaneously, there is nothing 
to guarantee, if little attention is paid thereto, that one 
midlet may recover the content of the private key used by the 
other midlet . 

10 The first problem is therefore lack of security, in 

particular for risk applications such as payment, signature or 
DRM applications for example. 

Moreover, some feats have shown that with an 
implementation error it is possible to override this 

15 permission system. 

The second problem of the MIDP profile is raised by the 
specifications of the MIDP profile itself. It is not adapted 
to the formal proof method for programmes. This raises a 
problem in some sectors (banking sectors in particular) in 

20 which a midlet cannot be modelled by fomal methods, and hence 
cannot be checked by these methods . 

In other words, no technique exists with which it is 
possible to prove validity, via formal methods, with respect 
to the specifications of a programme programmed in this 

25 profile. 

Another profile, the STIP profile, is more especially 
adapted for providing access to security-orientated APIs, such 
as SIM access. 

STIP virtual machines (figure 3) are used for the 
30 functioning of programmes especially written for the STIP 
profile . 

The other asset of STIP is that its programming model and 
its APIs lend themselves well to analysis by formal methods. 
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This is what prompted its adoption by the banking sector since 
code conformity to specifications can be proved by formal 
method. 

Therefore the STIP profile used in the banking sector, 
5 through its limitations / is adapted to programme proof 
checking . 

However the STIP profile was arranged for closed systems 
(untrusted applications cannot be downloaded with impunity) . 

Therefore no security model is set up (in version 2.1.1, 
10 of the specification) and hence any STIP application (stiplet) 
can access any API of STIP type that has already been 
implemented . 

The STIP profile is thus not adapted for producing 
terminals in which a user is likely to download and implement 
15 current applications such as games or various utility 
applications . 

The purpose of the invention is to propose a 
configuration with which it is possible, in a 
telecommunications terminal, to implement various user 
20 applications and also applications requiring a high level of 
security. 

The invention also sets out to facilitate the programming 
and implementing of applications, in particular by 
facilitating the certification of the proper functioning of 

25 newly programmed applications. 

It is true that the principle is known of mobile 
telephones hosting two virtual machines in the physical form 
of two processors, one formed by the terminal itself and the 
other formed by the SIM card. 

3 0 The SIM card checks high security requirements, whilst 

the processor of the terminal itself and its content are 
accessible to the user. 
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However^ said implementation still has some major 
disadvantages . 

Therefore another purpose of the invention is to propose 
a device which may or may not be network associated, in which 
5 advantage is taken of a securitized apace and a non- 
securitized space, e.g. by allowing the securitized space to 
access user interfaces such as keyboard or monitor instead of 
the non-securitized space, and conversely allowing a non- 
securitized space to access a securitized communication with a 

10 known operator to guarantee said security. As security 
operator, particular mention may be made of telephony 
operators, mobile telephone operators in particular, banks, 
suppliers of multimedia items with selective or paying 
distribution, searvice providers requiring electronic signature 

15 via said device - 

Suppliers of multimedia items with selective distribution 
are particularly "DRMs" 'Digital Rights Management) these 
servers delivering a content that typically relates to music, 
video, or games under licence, and in a file form which can be 

20 read under various constraints e.g. a certain number of times. 

One purpose of the invention is to propose said means in 
which, in addition, there is certainty that the two associated 
executions spaces (one with a higher security level than the 
other) are effectively those which are Intended or permitted 

25 to be associated with each other aJb initio. 

These purposes are achieved through the invention by 
means of a computing device with user interface comprising 
means for implementing a series of applications, these means 
including in particular a virtual machine/functioning profile 

30 execution space, the device comprising a second virtual 
machine/functioning profile execution space differing from the 
first by at least its virtual machine or its functioning 
profile, each execution space hosting applications, the 
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applications of the second execution apace being applications 
with a specifically higher security level than the 
applications of the first execution space on account of the 
fact that the applications of the first execution space are 
5 applications set up and activated by the teartninal user, whilst 
the applications of the second execution space are 
applications which cannot be modified by the terniinal user, 
characterized in that the two execution spaces are hosted by a 
physical processing means which is arranged so that it cannot 
10 be separated into two parts without destroying this physical 

processing means . 

The invention also proposes a method for implementing 
applications within a computing device with user interface, 
the method having recourse to means for implementing a series 

15 of applications, these means including in particular a virtual 
machine /functioning profile execution apace and a second 
virtual machine/ functioning profile execution space differing 
from the first by at least its virtual machine or its 
functioning profile, each execution space hosting 

20 applications, the applications of the second execution space 
being applications with a specifically higher security level 
than the applications of the first execution space on account 
of the fact that the applications of the first execution space 
are applications set up and activated by the terminal user, 

25 whilst the applications of the second execution space are 
applications which cannot be modified by the terminal user, 
characterized in that the two execution spaces are hosted by a 
physical processing means which is arranged so that it cannot 
be separated into two parts without destroying this physical 

30 processing means. 

Other characteristics, purposes and advantages of the 
invention will become apparent on reading the following 



FromrCABINET REGIMBEAU 



0144293599 



21/06/2006 16:56 #007 P. 028/051 



6 

S I' 



detailed description which refers to ^ 
whic^h- r-erers to the appended figure, 



which 

- figure i is 



in 



10 



25 



30 



1^1 " schematic illustrating « midp 

implementation of the prior art 

Of protect?"" ' " schematic illustrating the implementation 
protectxon means in a said MIDP implementation, 

- figure 3 is a schematic illuBtra^■i«r, » 
implementation illustrating a prxor art STIP 

- figure 4 illustrates a functional configuration of an 
-ventive terminal according to a preferred variant 

The particular embodiment described below makes it 

" Thia "'""'^^ i= ^ therein, .he „IDP profile 

This profile is very Dooular- <„ f,, , prorixe. 

oreatlno Popular in the world of cell phones for 

' r """^^ applic«ions. Xhe user is 

it thl sir ™° «PP"ceeions found on the networ. 

pLfile r r " • flephone. xhe „lpp 

profile therefore includes applicstions set up end activate! 
by the users themselves. i-J-vacea 

Here the STIP profile forms an additional profile and 
more specifically ar, .. ^ prorxie, and 

well ! "operator" profile. The STiP profile is 

well adapted to applications requiring a hioh 

« i« , *'^M"j-xxiig a nign securitv liav^i 

pT:ce:\he"""^ «PPl-«ions. aanKin. consortium havral^d; 

certU :;„""r l'" — -thods to 

STIP applications for their Hm«i 

,■ cneir implementation 

electronxc payment terminals (EPT) . 

With the present invention it is rh^^^i^ 
provide developers with an « ^^--^^o- possible to 

execution is eluded in a "^^""^'^ 

ensured m an execution space appropriate fo^ 
easy programming by these developers a sn.. ^PJ^P^^^e for 
not of exopers, a space of whether or 

not of same profile, and fully separate. 



20 



in 
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This eitibodiment therefore enables operators to provide a 
batch of securitized applications such as payments, signature 
or DRM, that is fully independent from the execution profile 
for "routine" applications. 
5 The terminal shown figure 4 includes and causes to 

operate in harmony two virtual machines 100 and 200 of 
separate profiles PI and P2 (or not separate) . One 100 of the 
two machines is dedicated to user applications, the other 2 00 
to operator applications. 
10 The corresponding profiles PI and P2 , here respectively 

the MIDP profile and the STIP profile, are themselves 
respectively dedicated to user applications and operator 

applications . 

Figure 4 shows two virtual machines 100 and 200. 

15 The "user" virtual machine 100 can be used by the user to 

download, install, uninstall, execute, stop applications in 
the MIDP profile as and when desired. The applications 110 
operating therein use the API 120 of this profile and an API 
"stub" having the same profile as the machine 100, this API 

20 stvib being referenced 130 in figure 4. 

The second machine, referenced 200 is the "operator" 
virtual machine: only the operator e.g. the mobile telephone 
operator or the internet operator (access supplier) , via an 
over the Air (OTA) mechanism, is able to administrate this 

25 execution space. 

The operator can, at will, install, uninstall, activate, 
deactivate therein applications 210 written as per the 
formalism of profile 100. These applications 210 have access 
to APIs 220 of profile P2 and to one or more high level APIs 
30 illustrated under reference 230 in figure 4. 

These high level APIs 230 allow access to services 
offered by the profile of machine 100. API access, whether 
from the profile of machine 200 or the stub 230 to the profile 
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of machine 100 is made in accordance with the security model 
inherent in the profile of machine 200. 

The API "stub" 130 is a high level API, expressed as per 
the programming model of profile 100, providing access to 
5 services offered by profile P2 . API access, whether to the 
profile of the machine 100 or a stub 130 is made in accordance 
with the security model inherent in the profile PI of machine 
100. 

The functioning of stubs 130 and 230 is as follows: 
10 The call to an API of stub 13 0, 23 0 is converted into a 

flow of octets (called either serialization process or 
marshalling /unmarshalling) . 

This flow is received by a manager 14 0, 240 of the 
opposite profile via a communication channel 300, deserialized 
15 and converted into execution of a procedure in the remote 
profile. The return execution of this procedure is again 
serialized in the remote profile and passes again in the 
communication channel 300 between the two profiles PI and P2 
of machines 100 and 200, the reply is deserialized in the 
20 original profile and converted into a return call of the API 
"stub" . 

In this way there are two independent execution spaces 
each consisting here of a different machine and a different 
profile, and in very close relationship via the API stxib 13 0 
25 and 230. 

As a variant, the two profiles PI and P2 may be of same 
type e.g. two MIDP profiles or two STIP profiles for two 
different machines . 

It will also be noted that it is possible to adopt two 
30 different profiles PI and P2 within one same virtual machine. 

This embodiment therefore offers a payment API to 
developers of MIDP applications, in which the payment itself 
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is made under the execution of a virtual STIP machine 
controlled by the operator. 

In other words, a MIDP application, easily developed, 
could offer the user a means of payment by causing a payment 
5 application of machine 200 to operate via the communication 
channel 300. A MIDP application, through the invention, is 
therefore able to offer a payment functionality that is highly 
reliable . 

The two execution spaces 100 and 200 each formed of a 
10 virtual machine/ execution profile pair, differing from one 
another through the profile or the virtual machine, are both 
implemented however by one same physical processing device 4 00 
(same hardware entity 400) . 

This processing device hosting the two execution spaces 
15 is unique in that it cannot be divided into two without 
destroying its functioning. 

It is therefore impossible to physically separate the two 
execution spaces, and it is hence also impossible to associate 
a space thus separated with another space which is not 
20 authorized. 

Said achievement with a single means is obtained for 
example by implementing the two execution spaces on one same 
integrated circuit forming a single processor. 

It is thereby ensured that two environments, one 
25 securitized and the other non-securitized, are inseparable- 

The security offered by an operator (telephony, banking, 
signature administration, multimedia distributor) is thereby 
improved whether to prevent security overriding in payment 
functions, to ensure confidentiality or non-usurpation of 
30 secret codes, to ensure reliability of electronic signatures 
or to monitor limited user rights for payable services. 

Advantageously the PI, P2 profiles of each of the two 
execution spaces 100, PI, 200, P2 are respectively a STIP 
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profile and a profile foming part of the group made up of 
STIP, MIDP, OSGI and ".net" profiles. 



